minutework 0.1.35 → 0.1.36

package/assets/templates/mobile-app/package.json

@@ -12,6 +12,7 @@
   },
   "dependencies": {
     "@expo/metro-runtime": "~56.0.13",
+    "@minutework/native-auth": "^0.1.0",
     "expo": "~56.0.8",
     "expo-asset": "~56.0.15",
     "expo-constants": "~56.0.16",

package/assets/templates/mobile-app/src/mw/client.ts

@@ -1,251 +1,48 @@
-// MinuteWork substrate. Thin layer — do not put product UI/logic here.
-//
-// MinuteWork native token client. Implements the browser-assisted device flow
-// against the SHIPPED platform native-token endpoints (`/api/v1/native/session/*`).
-//
-// Authentication is owned by the MinuteWork platform. This client only *obtains
-// and uses* a platform-issued bearer token — there is NO JWT minting, NO password
-// handling, NO local user table, and NO parallel auth stack here. Token plaintext
-// is never logged.
-//
-// ----------------------------------------------------------------------------
-// Device flow (browser-assisted authorization):
-// ----------------------------------------------------------------------------
-//   1. authorize(): generate a PKCE code_verifier + S256 code_challenge, open the
-//      platform authorize URL in a system browser (`expo-web-browser`) with the
-//      app's deep-link redirect_uri + code_challenge + an anti-forgery `state`.
-//      The platform authenticates the human and redirects back to redirect_uri
-//      with a short-lived single-use `code` (and the echoed `state`).
-//   2. exchange(code, verifier): POST {code, code_verifier, redirect_uri} to
-//      `/token-exchange/`; the platform returns the access/refresh token pair.
-//   3. store the pair in the device keychain via `mwSession.setTokens(...)`.
-//   4. for every platform call, send `Authorization: Bearer <access>`. On a 401,
-//      POST the stored refresh token to `/refresh/`, persist the rotated pair,
-//      and retry once.
-//   5. logout(): POST `/logout/` to revoke, then `mwSession.clearTokens()`.
-//
-// This is the DIRECT platform path — there is no tenant-app BFF and no
-// server-owned cookie in front of the mobile client.
-
 import * as Crypto from "expo-crypto";
 import * as Linking from "expo-linking";
 import * as WebBrowser from "expo-web-browser";
-
 import {
-  nativeSessionSchema,
-  nativeTokenPairSchema,
-  type NativeSession,
-  type NativeTokenPair,
-} from "@/mw/contracts";
-import { platformNativeEndpoints } from "@/mw/endpoints";
+  createNativeAuthClient,
+  type NativeBrowser,
+  type NativeCrypto,
+} from "@minutework/native-auth";
+
+import { mwEnv } from "@/mw/env";
 import { mwSession } from "@/mw/session";
 
 // The deep-link path the platform redirects back to. The scheme is read from
 // `app.json` ("scheme") by expo-linking; the dev configures that scheme.
 const REDIRECT_PATH = "auth/native-callback";
 
-// Result of a single authorize round-trip: the one-time code plus the PKCE
-// verifier that must be presented at exchange.
-export interface NativeAuthorizationResult {
-  code: string;
-  codeVerifier: string;
-  redirectUri: string;
-}
-
-function base64UrlFromBytes(bytes: Uint8Array): string {
-  let binary = "";
-  for (const byte of bytes) {
-    binary += String.fromCharCode(byte);
-  }
-  // btoa is available in the Hermes/React Native runtime.
-  return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
-}
-
-// PKCE code_verifier: 32 random bytes -> base64url (43 chars, no padding). This
-// is URL-safe and whitespace-free, matching the platform's `.strip()`ed verifier
-// and its 255-char cap.
-function generateCodeVerifier(): string {
-  return base64UrlFromBytes(Crypto.getRandomBytes(32));
-}
-
-// S256 challenge: base64url(SHA-256(verifier)). Mirrors the platform's
-// `build_pkce_code_challenge` (sha256 digest -> urlsafe base64 -> strip "=").
-async function deriveCodeChallenge(codeVerifier: string): Promise<string> {
-  const digestBase64 = await Crypto.digestStringAsync(
-    Crypto.CryptoDigestAlgorithm.SHA256,
-    codeVerifier,
-    { encoding: Crypto.CryptoEncoding.BASE64 },
-  );
-  return digestBase64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
-}
-
-function buildAuthorizeUrl(params: {
-  redirectUri: string;
-  state: string;
-  codeChallenge: string;
-}): string {
-  const url = new URL(platformNativeEndpoints.authorize);
-  url.searchParams.set("redirect_uri", params.redirectUri);
-  url.searchParams.set("state", params.state);
-  url.searchParams.set("code_challenge", params.codeChallenge);
-  return url.toString();
-}
-
-async function postJson(url: string, body: Record<string, unknown>): Promise<Response> {
-  return fetch(url, {
-    method: "POST",
-    headers: {
-      "Content-Type": "application/json",
-      Accept: "application/json",
-    },
-    body: JSON.stringify(body),
-  });
-}
-
-// Surface a platform error without leaking response internals. The platform
-// returns `{detail: "..."}` for native auth failures.
-async function readErrorDetail(response: Response, fallback: string): Promise<string> {
-  try {
-    const data = (await response.json()) as { detail?: unknown };
-    if (data && typeof data.detail === "string" && data.detail.length > 0) {
-      return data.detail;
-    }
-  } catch {
-    // ignore non-JSON bodies
-  }
-  return `${fallback} (HTTP ${response.status})`;
-}
-
-export const mwClient = {
-  // Step 1: open the platform authorize URL in a system browser and resolve with
-  // the single-use authorization code + the PKCE verifier to exchange it.
-  async authorize(): Promise<NativeAuthorizationResult> {
-    const redirectUri = Linking.createURL(REDIRECT_PATH);
-    const codeVerifier = generateCodeVerifier();
-    const codeChallenge = await deriveCodeChallenge(codeVerifier);
-    const state = base64UrlFromBytes(Crypto.getRandomBytes(16));
-
-    const authorizeUrl = buildAuthorizeUrl({ redirectUri, state, codeChallenge });
-    const result = await WebBrowser.openAuthSessionAsync(authorizeUrl, redirectUri);
-
-    if (result.type !== "success" || !result.url) {
-      throw new Error("Sign in was cancelled before the platform returned a code.");
-    }
-
-    const returned = new URL(result.url);
-    const returnedState = returned.searchParams.get("state");
-    if (returnedState !== state) {
-      // Anti-forgery: the platform must echo back the exact state we sent.
-      throw new Error("Sign in failed: callback state did not match the request.");
-    }
-    const code = returned.searchParams.get("code");
-    if (!code) {
-      throw new Error("Sign in failed: the platform callback did not include a code.");
-    }
-
-    return { code, codeVerifier, redirectUri };
-  },
-
-  // Step 2: exchange the authorization code for a platform-issued token pair and
-  // persist it to the device keychain.
-  async exchange(
-    code: string,
-    codeVerifier: string,
-    redirectUri: string,
-  ): Promise<NativeTokenPair> {
-    const response = await postJson(platformNativeEndpoints.tokenExchange, {
-      code,
-      code_verifier: codeVerifier,
-      redirect_uri: redirectUri,
-    });
-    if (!response.ok) {
-      throw new Error(await readErrorDetail(response, "Token exchange failed"));
-    }
-    const pair = nativeTokenPairSchema.parse(await response.json());
-    await mwSession.setTokens(
-      pair.access_token,
-      pair.refresh_token,
-      pair.access_token_expires_at,
-    );
-    return pair;
+const nativeCrypto: NativeCrypto = {
+  randomBytes(length: number): Uint8Array {
+    return Crypto.getRandomBytes(length);
   },
-
-  // Step 4 (on 401 / proactive): rotate the access token using the stored refresh
-  // token and persist the rotated pair.
-  async refresh(): Promise<NativeTokenPair> {
-    const stored = await mwSession.getTokens();
-    if (!stored) {
-      throw new Error("No stored session to refresh. Sign in again.");
-    }
-    const response = await postJson(platformNativeEndpoints.refresh, {
-      refresh_token: stored.refresh,
-    });
-    if (!response.ok) {
-      // Refresh failure means the session is dead; clear it so the app routes
-      // back to login.
-      await mwSession.clearTokens();
-      throw new Error(await readErrorDetail(response, "Session refresh failed"));
-    }
-    const pair = nativeTokenPairSchema.parse(await response.json());
-    await mwSession.setTokens(
-      pair.access_token,
-      pair.refresh_token,
-      pair.access_token_expires_at,
+  async sha256Base64Url(input: string): Promise<string> {
+    const digestBase64 = await Crypto.digestStringAsync(
+      Crypto.CryptoDigestAlgorithm.SHA256,
+      input,
+      { encoding: Crypto.CryptoEncoding.BASE64 },
     );
-    return pair;
+    return digestBase64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
   },
+};
 
-  // Resolve the active session (user + active tenant + memberships) from the
-  // stored token, auto-refreshing once on a 401 then retrying.
-  async loadSession(): Promise<NativeSession> {
-    const stored = await mwSession.getTokens();
-    if (!stored) {
-      throw new Error("Not signed in.");
-    }
-
-    const meOnce = async (accessToken: string): Promise<Response> =>
-      fetch(platformNativeEndpoints.me, {
-        method: "GET",
-        headers: {
-          Accept: "application/json",
-          Authorization: `Bearer ${accessToken}`,
-        },
-      });
-
-    let response = await meOnce(stored.access);
-    if (response.status === 401) {
-      // Single refresh-and-retry on an expired/invalid access token.
-      const rotated = await this.refresh();
-      response = await meOnce(rotated.access_token);
-    }
-    if (!response.ok) {
-      throw new Error(await readErrorDetail(response, "Failed to load session"));
-    }
-    return nativeSessionSchema.parse(await response.json());
+const nativeBrowser: NativeBrowser = {
+  createRedirectUri(): string {
+    return Linking.createURL(REDIRECT_PATH);
   },
-
-  // Step 5: revoke the token pair on the platform, then clear local secure
-  // storage. Local state is always cleared, even if the revoke call fails.
-  async logout(): Promise<void> {
-    const stored = await mwSession.getTokens();
-    try {
-      if (stored) {
-        await fetch(platformNativeEndpoints.logout, {
-          method: "POST",
-          headers: {
-            "Content-Type": "application/json",
-            Accept: "application/json",
-            Authorization: `Bearer ${stored.access}`,
-          },
-          body: JSON.stringify({}),
-        });
-      }
-    } catch {
-      // Best-effort revoke; never block local sign-out on a network error.
-    } finally {
-      await mwSession.clearTokens();
-    }
+  async openAuthSession(url: string, redirectUri: string): Promise<string | null> {
+    const result = await WebBrowser.openAuthSessionAsync(url, redirectUri);
+    return result.type === "success" && result.url ? result.url : null;
   },
 };
 
+export const mwClient = createNativeAuthClient({
+  platformBaseUrl: mwEnv.platformBaseUrl,
+  storage: mwSession,
+  crypto: nativeCrypto,
+  browser: nativeBrowser,
+});
+
 export type MwClient = typeof mwClient;

package/assets/templates/mobile-app/src/mw/session.ts

@@ -8,7 +8,11 @@
 
 import * as SecureStore from "expo-secure-store";
 
-import { storedTokensSchema, type StoredTokens } from "@/mw/contracts";
+import {
+  storedTokensSchema,
+  type NativeTokenStorage,
+  type StoredTokens,
+} from "@minutework/native-auth";
 
 const TOKEN_KEY = "mw.native.token_pair";
 
@@ -45,6 +49,6 @@ export const mwSession = {
   async clearTokens(): Promise<void> {
     await SecureStore.deleteItemAsync(TOKEN_KEY, SECURE_STORE_OPTIONS);
   },
-};
+} satisfies NativeTokenStorage;
 
 export type MwSession = typeof mwSession;

package/dist/runtime-package.d.ts

@@ -1,4 +1,4 @@
-import type { CompileGraph, RuntimeAppReleaseMetadata, SeedDataManifestDocument } from "@minutework/schema-compiler";
+import type { CompileGraph, PlatformChannelManifestDocument, RuntimeAppReleaseMetadata, SeedDataManifestDocument } from "@minutework/schema-compiler";
 export declare const MINUTEWORK_RUNTIME_APP_PACKAGE_VERSION = "MinuteWorkRuntimeAppPackageV1";
 export type RuntimeAppSourceBundleFile = {
     contentBase64: string;
@@ -14,6 +14,7 @@ export type RuntimeAppPackageArtifact = {
         sha256: string;
     };
     release: RuntimeAppReleaseMetadata;
+    platformChannelManifest: PlatformChannelManifestDocument | null;
     seedDataManifest: SeedDataManifestDocument | null;
     sourceBundle: {
         files: RuntimeAppSourceBundleFile[];

package/dist/runtime-package.js

@@ -16,6 +16,7 @@ export async function buildRuntimeAppPackage(options) {
         sidecarRoot,
     });
     const seedDataManifest = options.compileGraph.documents.seedDataManifests[0] ?? null;
+    const platformChannelManifest = options.compileGraph.documents.platformChannelManifests[0] ?? null;
     const artifactSetDigest = sha256Hex(JSON.stringify({
         compileGraph: options.compileGraph.documents,
         dependencyExport: {
@@ -24,7 +25,10 @@ export async function buildRuntimeAppPackage(options) {
         },
         release: options.releaseMetadata,
         sourceBundle: {
-            files: sourceBundle.files.map((file) => ({ path: file.path, sha256: file.sha256 })),
+            files: sourceBundle.files.map((file) => ({
+                path: file.path,
+                sha256: file.sha256,
+            })),
             sha256: sourceBundle.sha256,
         },
         template,
@@ -35,6 +39,7 @@ export async function buildRuntimeAppPackage(options) {
         compileGraph: options.compileGraph,
         dependencyExport,
         release: options.releaseMetadata,
+        platformChannelManifest,
         seedDataManifest,
         sourceBundle,
         template,
@@ -43,13 +48,16 @@ export async function buildRuntimeAppPackage(options) {
 }
 export function buildRuntimePackagePayload(packageArtifact) {
     const payload = JSON.parse(JSON.stringify(packageArtifact));
-    // Drop the camelCase artifact-surface field. The runtime install pipe
-    // consumes the snake_case `seed_data_manifest` key (see
-    // apps/mwv3-runtime-dj/apps/runtime_app_host/deployment_services.py:416).
+    // Drop camelCase artifact-surface fields. The runtime install pipe
+    // consumes snake_case manifest keys.
     delete payload.seedDataManifest;
+    delete payload.platformChannelManifest;
     if (packageArtifact.seedDataManifest !== null) {
         payload.seed_data_manifest = packageArtifact.seedDataManifest;
     }
+    if (packageArtifact.platformChannelManifest !== null) {
+        payload.platform_channel_manifest = packageArtifact.platformChannelManifest;
+    }
     return payload;
 }
 async function buildSourceBundle(root) {

package/dist/runtime-package.js.map

@@ -1 +1 @@
-{"version":3,"file":"runtime-package.js","sourceRoot":"","sources":["../src/runtime-package.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAC9C,OAAO,EAAE,QAAQ,IAAI,EAAE,EAAE,MAAM,SAAS,CAAC;AACzC,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AAQtC,MAAM,aAAa,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAC;AAE1C,MAAM,CAAC,MAAM,sCAAsC,GAAG,+BAA+B,CAAC;AA+BtF,MAAM,CAAC,KAAK,UAAU,sBAAsB,CAAC,OAK5C;IACC,MAAM,WAAW,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,aAAa,EAAE,OAAO,CAAC,eAAe,CAAC,WAAW,CAAC,CAAC;IAC1F,MAAM,YAAY,GAAG,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,eAAe,CAAC,CAAC;IAC7D,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC,CAA4B,CAAC;IAChG,MAAM,YAAY,GAAG,MAAM,iBAAiB,CAAC,WAAW,CAAC,CAAC;IAC1D,MAAM,gBAAgB,GAAG,MAAM,qBAAqB,CAAC;QACnD,YAAY,EAAE,OAAO,CAAC,YAAY;QAClC,WAAW;KACZ,CAAC,CAAC;IACH,MAAM,gBAAgB,GACpB,OAAO,CAAC,YAAY,CAAC,SAAS,CAAC,iBAAiB,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC;IAC9D,MAAM,iBAAiB,GAAG,SAAS,CACjC,IAAI,CAAC,SAAS,CAAC;QACb,YAAY,EAAE,OAAO,CAAC,YAAY,CAAC,SAAS;QAC5C,gBAAgB,EAAE;YAChB,IAAI,EAAE,gBAAgB,CAAC,IAAI;YAC3B,MAAM,EAAE,gBAAgB,CAAC,MAAM;SAChC;QACD,OAAO,EAAE,OAAO,CAAC,eAAe;QAChC,YAAY,EAAE;YACZ,KAAK,EAAE,YAAY,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC;YACnF,MAAM,EAAE,YAAY,CAAC,MAAM;SAC5B;QACD,QAAQ;QACR,OAAO,EAAE,sCAAsC;KAChD,CAAC,CACH,CAAC;IAEF,OAAO;QACL,iBAAiB;QACjB,YAAY,EAAE,OAAO,CAAC,YAAY;QAClC,gBAAgB;QAChB,OAAO,EAAE,OAAO,CAAC,eAAe;QAChC,gBAAgB;QAChB,YAAY;QACZ,QAAQ;QACR,OAAO,EAAE,sCAAsC;KAChD,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,0BAA0B,CACxC,eAA0C;IAE1C,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,eAAe,CAAC,CAA4B,CAAC;IACvF,sEAAsE;IACtE,wDAAwD;IACxD,0EAA0E;IAC1E,OAAO,OAAO,CAAC,gBAAgB,CAAC;IAChC,IAAI,eAAe,CAAC,gBAAgB,KAAK,IAAI,EAAE,CAAC;QAC9C,OAAO,CAAC,kBAAkB,GAAG,eAAe,CAAC,gBAAgB,CAAC;IAChE,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,KAAK,UAAU,iBAAiB,CAAC,IAAY;IAC3C,MAAM,KAAK,GAAiC,EAAE,CAAC;IAE/C,KAAK,UAAU,KAAK,CAAC,WAAmB;QACtC,MAAM,YAAY,GAAG,qBAAqB,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,WAAW,CAAC,CAAC,CAAC;QAC7E,IAAI,CAAC,YAAY,EAAE,CAAC;YAClB,MAAM,OAAO,GAAG,MAAM,EAAE,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC;YAC9C,MAAM,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;YACvF,OAAO;QACT,CAAC;QACD,IAAI,YAAY,CAAC,YAAY,CAAC,EAAE,CAAC;YAC/B,OAAO;QACT,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,EAAE,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC;QACzC,IAAI,IAAI,CAAC,cAAc,EAAE,EAAE,CAAC;YAC1B,OAAO;QACT,CAAC;QACD,IAAI,IAAI,CAAC,WAAW,EAAE,EAAE,CAAC;YACvB,MAAM,OAAO,GAAG,MAAM,EAAE,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC;YAC9C,MAAM,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;YACvF,OAAO;QACT,CAAC;QACD,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,EAAE,CAAC;YACnB,OAAO;QACT,CAAC;QAED,MAAM,QAAQ,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;QAChD,KAAK,CAAC,IAAI,CAAC;YACT,aAAa,EAAE,QAAQ,CAAC,QAAQ,CAAC,QAAQ,CAAC;YAC1C,IAAI,EAAE,YAAY;YAClB,MAAM,EAAE,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC;SAC5D,CAAC,CAAC;IACL,CAAC;IAED,MAAM,KAAK,CAAC,IAAI,CAAC,CAAC;IAClB,KAAK,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,aAAa,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC;IACjE,OAAO;QACL,KAAK;QACL,IAAI,EAAE,qBAAqB,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;QAChD,MAAM,EAAE,SAAS,CAAC,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC,CAAC;KACnG,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,qBAAqB,CAAC,OAGpC;IACC,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,WAAW,EAAE,aAAa,CAAC,CAAC;IAC/D,IAAI,CAAC;QACH,MAAM,YAAY,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;QACzD,OAAO;YACL,OAAO,EAAE,YAAY;YACrB,IAAI,EAAE,aAAa;YACnB,MAAM,EAAE,SAAS,CAAC,YAAY,CAAC;SAChC,CAAC;IACJ,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,KAAK,GAAG,KAA8B,CAAC;QAC7C,IAAI,KAAK,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;YAC5B,MAAM,KAAK,CAAC;QACd,CAAC;IACH,CAAC;IAED,MAAM,QAAQ,GAAG,MAAM,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,MAAM,EAAE,EAAE,0BAA0B,CAAC,CAAC,CAAC;IACtF,IAAI,CAAC;QACH,MAAM,EAAE,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,WAAW,EAAE,gBAAgB,CAAC,EAAE,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,gBAAgB,CAAC,CAAC,CAAC;QAC3G,MAAM,UAAU,GAAG,OAAO,CAAC,YAAY,EAAE,UAAU,IAAI,iBAAiB,CAAC;QACzE,IAAI,CAAC;YACH,MAAM,UAAU,CAAC,QAAQ,EAAE,CAAC,MAAM,EAAE,aAAa,CAAC,EAAE,QAAQ,CAAC,CAAC;QAChE,CAAC;QAAC,MAAM,CAAC;YACP,MAAM,UAAU,CAAC,QAAQ,EAAE,CAAC,MAAM,CAAC,EAAE,QAAQ,CAAC,CAAC;QACjD,CAAC;QACD,MAAM,aAAa,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,aAAa,CAAC,EAAE,MAAM,CAAC,CAAC;QACpF,OAAO;YACL,OAAO,EAAE,aAAa;YACtB,IAAI,EAAE,uBAAuB;YAC7B,MAAM,EAAE,SAAS,CAAC,aAAa,CAAC;SACjC,CAAC;IACJ,CAAC;YAAS,CAAC;QACT,MAAM,EAAE,CAAC,EAAE,CAAC,QAAQ,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAC1D,CAAC;AACH,CAAC;AAED,KAAK,UAAU,iBAAiB,CAAC,OAAe,EAAE,IAAc,EAAE,GAAW;IAC3E,OAAO,aAAa,CAAC,OAAO,EAAE,IAAI,EAAE,EAAE,GAAG,EAAE,QAAQ,EAAE,MAAM,EAAE,CAAC,CAAC;AACjE,CAAC;AAED,SAAS,qBAAqB,CAAC,KAAa;IAC1C,OAAO,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;AACpD,CAAC;AAED,SAAS,YAAY,CAAC,YAAoB;IACxC,MAAM,KAAK,GAAG,YAAY,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IACtC,MAAM,QAAQ,GAAG,KAAK,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,IAAI,YAAY,CAAC;IACzD,OAAO,CACL,KAAK,CAAC,QAAQ,CAAC,OAAO,CAAC;QACvB,KAAK,CAAC,QAAQ,CAAC,aAAa,CAAC;QAC7B,KAAK,CAAC,QAAQ,CAAC,eAAe,CAAC;QAC/B,KAAK,CAAC,QAAQ,CAAC,aAAa,CAAC;QAC7B,KAAK,CAAC,QAAQ,CAAC,aAAa,CAAC;QAC7B,KAAK,CAAC,QAAQ,CAAC,UAAU,CAAC;QAC1B,QAAQ,CAAC,QAAQ,CAAC,MAAM,CAAC;QACzB,QAAQ,CAAC,QAAQ,CAAC,MAAM,CAAC,CAC1B,CAAC;AACJ,CAAC;AAED,SAAS,SAAS,CAAC,KAAa;IAC9B,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AAC1D,CAAC"}
+{"version":3,"file":"runtime-package.js","sourceRoot":"","sources":["../src/runtime-package.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAC9C,OAAO,EAAE,QAAQ,IAAI,EAAE,EAAE,MAAM,SAAS,CAAC;AACzC,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AAStC,MAAM,aAAa,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAC;AAE1C,MAAM,CAAC,MAAM,sCAAsC,GACjD,+BAA+B,CAAC;AAoClC,MAAM,CAAC,KAAK,UAAU,sBAAsB,CAAC,OAK5C;IACC,MAAM,WAAW,GAAG,IAAI,CAAC,IAAI,CAC3B,OAAO,CAAC,aAAa,EACrB,OAAO,CAAC,eAAe,CAAC,WAAW,CACpC,CAAC;IACF,MAAM,YAAY,GAAG,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,eAAe,CAAC,CAAC;IAC7D,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CACzB,MAAM,EAAE,CAAC,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC,CACb,CAAC;IAC7B,MAAM,YAAY,GAAG,MAAM,iBAAiB,CAAC,WAAW,CAAC,CAAC;IAC1D,MAAM,gBAAgB,GAAG,MAAM,qBAAqB,CAAC;QACnD,YAAY,EAAE,OAAO,CAAC,YAAY;QAClC,WAAW;KACZ,CAAC,CAAC;IACH,MAAM,gBAAgB,GACpB,OAAO,CAAC,YAAY,CAAC,SAAS,CAAC,iBAAiB,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC;IAC9D,MAAM,uBAAuB,GAC3B,OAAO,CAAC,YAAY,CAAC,SAAS,CAAC,wBAAwB,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC;IACrE,MAAM,iBAAiB,GAAG,SAAS,CACjC,IAAI,CAAC,SAAS,CAAC;QACb,YAAY,EAAE,OAAO,CAAC,YAAY,CAAC,SAAS;QAC5C,gBAAgB,EAAE;YAChB,IAAI,EAAE,gBAAgB,CAAC,IAAI;YAC3B,MAAM,EAAE,gBAAgB,CAAC,MAAM;SAChC;QACD,OAAO,EAAE,OAAO,CAAC,eAAe;QAChC,YAAY,EAAE;YACZ,KAAK,EAAE,YAAY,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;gBACvC,IAAI,EAAE,IAAI,CAAC,IAAI;gBACf,MAAM,EAAE,IAAI,CAAC,MAAM;aACpB,CAAC,CAAC;YACH,MAAM,EAAE,YAAY,CAAC,MAAM;SAC5B;QACD,QAAQ;QACR,OAAO,EAAE,sCAAsC;KAChD,CAAC,CACH,CAAC;IAEF,OAAO;QACL,iBAAiB;QACjB,YAAY,EAAE,OAAO,CAAC,YAAY;QAClC,gBAAgB;QAChB,OAAO,EAAE,OAAO,CAAC,eAAe;QAChC,uBAAuB;QACvB,gBAAgB;QAChB,YAAY;QACZ,QAAQ;QACR,OAAO,EAAE,sCAAsC;KAChD,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,0BAA0B,CACxC,eAA0C;IAE1C,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,eAAe,CAAC,CAGzD,CAAC;IACF,mEAAmE;IACnE,qCAAqC;IACrC,OAAO,OAAO,CAAC,gBAAgB,CAAC;IAChC,OAAO,OAAO,CAAC,uBAAuB,CAAC;IACvC,IAAI,eAAe,CAAC,gBAAgB,KAAK,IAAI,EAAE,CAAC;QAC9C,OAAO,CAAC,kBAAkB,GAAG,eAAe,CAAC,gBAAgB,CAAC;IAChE,CAAC;IACD,IAAI,eAAe,CAAC,uBAAuB,KAAK,IAAI,EAAE,CAAC;QACrD,OAAO,CAAC,yBAAyB,GAAG,eAAe,CAAC,uBAAuB,CAAC;IAC9E,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,KAAK,UAAU,iBAAiB,CAC9B,IAAY;IAEZ,MAAM,KAAK,GAAiC,EAAE,CAAC;IAE/C,KAAK,UAAU,KAAK,CAAC,WAAmB;QACtC,MAAM,YAAY,GAAG,qBAAqB,CACxC,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,WAAW,CAAC,CACjC,CAAC;QACF,IAAI,CAAC,YAAY,EAAE,CAAC;YAClB,MAAM,OAAO,GAAG,MAAM,EAAE,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC;YAC9C,MAAM,OAAO,CAAC,GAAG,CACf,OAAO,CAAC,IAAI,EAAE,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,KAAK,CAAC,CAAC,CAAC,CACpE,CAAC;YACF,OAAO;QACT,CAAC;QACD,IAAI,YAAY,CAAC,YAAY,CAAC,EAAE,CAAC;YAC/B,OAAO;QACT,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,EAAE,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC;QACzC,IAAI,IAAI,CAAC,cAAc,EAAE,EAAE,CAAC;YAC1B,OAAO;QACT,CAAC;QACD,IAAI,IAAI,CAAC,WAAW,EAAE,EAAE,CAAC;YACvB,MAAM,OAAO,GAAG,MAAM,EAAE,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC;YAC9C,MAAM,OAAO,CAAC,GAAG,CACf,OAAO,CAAC,IAAI,EAAE,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,KAAK,CAAC,CAAC,CAAC,CACpE,CAAC;YACF,OAAO;QACT,CAAC;QACD,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,EAAE,CAAC;YACnB,OAAO;QACT,CAAC;QAED,MAAM,QAAQ,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;QAChD,KAAK,CAAC,IAAI,CAAC;YACT,aAAa,EAAE,QAAQ,CAAC,QAAQ,CAAC,QAAQ,CAAC;YAC1C,IAAI,EAAE,YAAY;YAClB,MAAM,EAAE,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC;SAC5D,CAAC,CAAC;IACL,CAAC;IAED,MAAM,KAAK,CAAC,IAAI,CAAC,CAAC;IAClB,KAAK,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,aAAa,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC;IACjE,OAAO;QACL,KAAK;QACL,IAAI,EAAE,qBAAqB,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;QAChD,MAAM,EAAE,SAAS,CACf,IAAI,CAAC,SAAS,CACZ,KAAK,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC,CAChE,CACF;KACF,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,qBAAqB,CAAC,OAGpC;IACC,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,WAAW,EAAE,aAAa,CAAC,CAAC;IAC/D,IAAI,CAAC;QACH,MAAM,YAAY,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;QACzD,OAAO;YACL,OAAO,EAAE,YAAY;YACrB,IAAI,EAAE,aAAa;YACnB,MAAM,EAAE,SAAS,CAAC,YAAY,CAAC;SAChC,CAAC;IACJ,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,KAAK,GAAG,KAA8B,CAAC;QAC7C,IAAI,KAAK,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;YAC5B,MAAM,KAAK,CAAC;QACd,CAAC;IACH,CAAC;IAED,MAAM,QAAQ,GAAG,MAAM,EAAE,CAAC,OAAO,CAC/B,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,MAAM,EAAE,EAAE,0BAA0B,CAAC,CACnD,CAAC;IACF,IAAI,CAAC;QACH,MAAM,EAAE,CAAC,QAAQ,CACf,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,WAAW,EAAE,gBAAgB,CAAC,EAChD,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,gBAAgB,CAAC,CACtC,CAAC;QACF,MAAM,UAAU,GAAG,OAAO,CAAC,YAAY,EAAE,UAAU,IAAI,iBAAiB,CAAC;QACzE,IAAI,CAAC;YACH,MAAM,UAAU,CAAC,QAAQ,EAAE,CAAC,MAAM,EAAE,aAAa,CAAC,EAAE,QAAQ,CAAC,CAAC;QAChE,CAAC;QAAC,MAAM,CAAC;YACP,MAAM,UAAU,CAAC,QAAQ,EAAE,CAAC,MAAM,CAAC,EAAE,QAAQ,CAAC,CAAC;QACjD,CAAC;QACD,MAAM,aAAa,GAAG,MAAM,EAAE,CAAC,QAAQ,CACrC,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,aAAa,CAAC,EAClC,MAAM,CACP,CAAC;QACF,OAAO;YACL,OAAO,EAAE,aAAa;YACtB,IAAI,EAAE,uBAAuB;YAC7B,MAAM,EAAE,SAAS,CAAC,aAAa,CAAC;SACjC,CAAC;IACJ,CAAC;YAAS,CAAC;QACT,MAAM,EAAE,CAAC,EAAE,CAAC,QAAQ,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAC1D,CAAC;AACH,CAAC;AAED,KAAK,UAAU,iBAAiB,CAAC,OAAe,EAAE,IAAc,EAAE,GAAW;IAC3E,OAAO,aAAa,CAAC,OAAO,EAAE,IAAI,EAAE,EAAE,GAAG,EAAE,QAAQ,EAAE,MAAM,EAAE,CAAC,CAAC;AACjE,CAAC;AAED,SAAS,qBAAqB,CAAC,KAAa;IAC1C,OAAO,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;AACpD,CAAC;AAED,SAAS,YAAY,CAAC,YAAoB;IACxC,MAAM,KAAK,GAAG,YAAY,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IACtC,MAAM,QAAQ,GAAG,KAAK,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,IAAI,YAAY,CAAC;IACzD,OAAO,CACL,KAAK,CAAC,QAAQ,CAAC,OAAO,CAAC;QACvB,KAAK,CAAC,QAAQ,CAAC,aAAa,CAAC;QAC7B,KAAK,CAAC,QAAQ,CAAC,eAAe,CAAC;QAC/B,KAAK,CAAC,QAAQ,CAAC,aAAa,CAAC;QAC7B,KAAK,CAAC,QAAQ,CAAC,aAAa,CAAC;QAC7B,KAAK,CAAC,QAAQ,CAAC,UAAU,CAAC;QAC1B,QAAQ,CAAC,QAAQ,CAAC,MAAM,CAAC;QACzB,QAAQ,CAAC,QAAQ,CAAC,MAAM,CAAC,CAC1B,CAAC;AACJ,CAAC;AAED,SAAS,SAAS,CAAC,KAAa;IAC9B,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AAC1D,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "minutework",
-  "version": "0.1.35",
+  "version": "0.1.36",
   "description": "MinuteWork CLI for workspace scaffolding, local preview workflows, and hosted preview deploys.",
   "type": "module",
   "bin": {

package/vendor/workspace-mcp/types.d.ts

@@ -401,6 +401,33 @@ export declare const SchemaStatusSchema: z.ZodObject<{
                 mapping_id: z.ZodString;
                 version: z.ZodLiteral<"OntologyMappingManifestV1">;
             }, z.core.$strict>>;
+            platformChannelManifests: z.ZodArray<z.ZodObject<{
+                channels: z.ZodArray<z.ZodObject<{
+                    category: z.ZodUnion<readonly [z.ZodString, z.ZodObject<{
+                        label: z.ZodOptional<z.ZodString>;
+                        ordering: z.ZodOptional<z.ZodNumber>;
+                        slug: z.ZodString;
+                    }, z.core.$strict>]>;
+                    category_label: z.ZodOptional<z.ZodString>;
+                    category_ordering: z.ZodOptional<z.ZodNumber>;
+                    customer_visibility: z.ZodEnum<{
+                        hidden: "hidden";
+                        visible: "visible";
+                    }>;
+                    label: z.ZodString;
+                    landing_agent_ref: z.ZodOptional<z.ZodString>;
+                    landing_thread_kind: z.ZodOptional<z.ZodEnum<{
+                        "": "";
+                        channel: "channel";
+                        private: "private";
+                        guest_shared: "guest_shared";
+                    }>>;
+                    landing_title: z.ZodOptional<z.ZodString>;
+                    ordering: z.ZodNumber;
+                    slug: z.ZodString;
+                }, z.core.$strict>>;
+                version: z.ZodLiteral<"1">;
+            }, z.core.$strict>>;
             projectionContracts: z.ZodArray<z.ZodObject<{
                 app_id: z.ZodString;
                 contract_id: z.ZodString;

package/assets/templates/mobile-app/src/mw/contracts.ts

@@ -1,79 +0,0 @@
-// MinuteWork substrate. Thin layer — do not put product UI/logic here.
-//
-// Zod schemas for the MinuteWork platform *native* session payloads. These match
-// the SHIPPED platform native-token slice (`/api/v1/native/session/*`) response
-// shapes exactly (DRF emits snake_case). They describe API responses, not product
-// data. Keep them aligned with the platform serializers in
-// `apps/mwv3-platform-dj/apps/gateway_api/serializers.py`:
-//   - token pair  -> IssuedNativeAppSessionTokenPairSerializer
-//   - session/me  -> TenantSessionResponseSerializer
-//
-// Schemas use `.passthrough()` so additive platform fields never break parsing;
-// the client only depends on the fields it reads.
-
-import { z } from "zod";
-
-// A tenant the authenticated user belongs to. Mirrors `_serialize_membership`
-// on the platform; only the load-bearing fields are constrained, the rest pass
-// through. `role` may be an empty string for a membership with no role.
-export const nativeMembershipSchema = z
-  .object({
-    tenant_id: z.string().min(1),
-    tenant_slug: z.string(),
-    tenant_name: z.string(),
-    role: z.string(),
-  })
-  .passthrough();
-
-export const nativeActiveTenantSchema = nativeMembershipSchema;
-
-// Mirrors `_serialize_user`. `email` is not constrained to an email shape because
-// the platform may serialize a blank/non-email value.
-export const nativeUserSchema = z
-  .object({
-    id: z.string().min(1),
-    username: z.string(),
-    email: z.string(),
-  })
-  .passthrough();
-
-// Response of `/api/v1/native/session/me/` (and `/context/`):
-// `TenantSessionResponseSerializer`. `active_tenant_id` / `active_tenant` are
-// null when the user has no active membership.
-export const nativeSessionSchema = z
-  .object({
-    user: nativeUserSchema,
-    active_tenant_id: z.string().nullable(),
-    active_tenant: nativeActiveTenantSchema.nullable(),
-    memberships: z.array(nativeMembershipSchema),
-    onboarding_completed_for_active_workspace: z.boolean().nullable().optional(),
-  })
-  .passthrough();
-
-// Platform-issued bearer token pair returned by `/token-exchange/` and
-// `/refresh/`: `IssuedNativeAppSessionTokenPairSerializer`. `*_expires_at` are
-// ISO-8601 timestamps; the client uses the access expiry to refresh proactively.
-export const nativeTokenPairSchema = z
-  .object({
-    access_token: z.string().min(1),
-    refresh_token: z.string().min(1),
-    access_token_expires_at: z.string().min(1),
-    refresh_token_expires_at: z.string().min(1),
-  })
-  .passthrough();
-
-// What we persist in the device keychain: the two opaque tokens plus the access
-// token's expiry (ISO-8601). This is the on-device shape, distinct from the wire
-// shape above.
-export const storedTokensSchema = z.object({
-  access: z.string().min(1),
-  refresh: z.string().min(1),
-  expiresAt: z.string().min(1),
-});
-
-export type NativeMembership = z.infer<typeof nativeMembershipSchema>;
-export type NativeActiveTenant = z.infer<typeof nativeActiveTenantSchema>;
-export type NativeUser = z.infer<typeof nativeUserSchema>;
-export type NativeSession = z.infer<typeof nativeSessionSchema>;
-export type NativeTokenPair = z.infer<typeof nativeTokenPairSchema>;
-export type StoredTokens = z.infer<typeof storedTokensSchema>;

package/assets/templates/mobile-app/src/mw/endpoints.ts

@@ -1,42 +0,0 @@
-// MinuteWork substrate. Thin layer — do not put product UI/logic here.
-//
-// Builds absolute URLs for the MinuteWork *platform native* session endpoints.
-//
-// These endpoints are the DIRECT platform API surface for native clients
-// (`/api/v1/native/...`). The mobile app authenticates with a platform-issued
-// bearer token obtained through a browser-assisted device flow, then calls the
-// platform directly. This is intentionally NOT the tenant-app BFF cookie path
-// (the Next.js `platform_session_bff` profile) — there is no per-app server in
-// front of the mobile client.
-//
-// These routes are SHIPPED by the platform native-token slice and are called by
-// the real device-flow client in `src/mw/client.ts`.
-
-import { mwEnv } from "@/mw/env";
-
-const platformBaseUrl = new URL(
-  mwEnv.platformBaseUrl.endsWith("/")
-    ? mwEnv.platformBaseUrl
-    : `${mwEnv.platformBaseUrl}/`,
-);
-
-function buildPlatformEndpoint(path: string): string {
-  return new URL(path.replace(/^\//, ""), platformBaseUrl).toString();
-}
-
-export const platformNativeEndpoints = {
-  // Begin the browser-assisted device authorization flow.
-  authorize: buildPlatformEndpoint("/api/v1/native/session/authorize/"),
-  // Exchange the authorization result for an access/refresh token pair.
-  tokenExchange: buildPlatformEndpoint("/api/v1/native/session/token-exchange/"),
-  // Rotate an expired access token using the refresh token.
-  refresh: buildPlatformEndpoint("/api/v1/native/session/refresh/"),
-  // Resolve the current authenticated principal (user + active tenant).
-  me: buildPlatformEndpoint("/api/v1/native/session/me/"),
-  // Resolve / switch active tenant context for the session.
-  context: buildPlatformEndpoint("/api/v1/native/session/context/"),
-  // Revoke the current token pair.
-  logout: buildPlatformEndpoint("/api/v1/native/session/logout/"),
-} as const;
-
-export type PlatformNativeEndpoint = keyof typeof platformNativeEndpoints;